From 52d283127497f1ff06510cde3f6f5d39c328a473 Mon Sep 17 00:00:00 2001 From: labkey-jeckels Date: Mon, 25 May 2026 19:54:13 -0700 Subject: [PATCH] GitHub Issue 1189: Update Google Analytics CSP --- .../src/org/labkey/core/analytics/AnalyticsServiceImpl.java | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/core/src/org/labkey/core/analytics/AnalyticsServiceImpl.java b/core/src/org/labkey/core/analytics/AnalyticsServiceImpl.java index 57acb0b3611..ac9c487d3fd 100644 --- a/core/src/org/labkey/core/analytics/AnalyticsServiceImpl.java +++ b/core/src/org/labkey/core/analytics/AnalyticsServiceImpl.java @@ -50,6 +50,7 @@ public class AnalyticsServiceImpl implements AnalyticsService { private static final String SEPARATOR = ","; private static final String GOOGLE_TAG_MANAGER_URL = "https://www.googletagmanager.com"; + private static final String GOOGLE_URL = "https://www.google.com"; private static final String ANALYTICS_CSP_KEY = AnalyticsServiceImpl.class.getName(); public static AnalyticsServiceImpl get() @@ -123,8 +124,9 @@ public void resetCSP() if (getTrackingStatus().contains(TrackingStatus.ga4FullUrl)) { - ContentSecurityPolicyFilter.registerAllowedSources(ANALYTICS_CSP_KEY, Directive.Connection, "https://*.googletagmanager.com", "https://*.google-analytics.com", "https://*.analytics.google.com"); - ContentSecurityPolicyFilter.registerAllowedSources(ANALYTICS_CSP_KEY, Directive.Image, "https://www.googletagmanager.com"); + // Per https://developers.google.com/tag-platform/security/guides/csp (plus other variants we have seen in the wild) + ContentSecurityPolicyFilter.registerAllowedSources(ANALYTICS_CSP_KEY, Directive.Connection, "https://*.googletagmanager.com", "https://*.google-analytics.com", "https://*.analytics.google.com", GOOGLE_URL); + ContentSecurityPolicyFilter.registerAllowedSources(ANALYTICS_CSP_KEY, Directive.Image, GOOGLE_TAG_MANAGER_URL); } }